In this article, Anthony DeSantis, who oversees information security and infrastructure technology at Neuberger Berman, provides insights on how to stay secure, both by being prudent and taking advantage of the tools at your disposal.
It’s not easy: that’s one thing I often say about cybersecurity. You have to go about securing your information with the same seriousness you would bring to protecting your home and valuables. Some people have safes, some have alarms. Others leave their car unlocked in the driveway. For your information, the equivalents of locking your door are things like regularly updating apps, maintaining antivirus software and using caution with your passwords. These are the “locking” mechanisms you need to acknowledge and employ. Ultimately, whether in the real or digital worlds, the question is how much effort you want to put into protecting yourself. I believe taking a little extra care almost always provides value in the end.
Opening the Door to Crooks
Cyberattacks on individuals generally take advantage of two things. One is known vulnerabilities: problems that may have been disclosed years ago by Microsoft and others, fixed in due course, but still present on devices that haven’t been updated. It’s very inexpensive for a bad guy to take advantage of something that is known, because tools to exploit it are freely available on the web. The good news is that the more you keep your software up to date, and the more of the basic defenses described below you add on top, the harder you are to crack; chances are the crook will simply give up and move on to somebody else.
Sadly, the other vulnerability is trust. I think we over-trust in general, although people are learning. Years ago, scammers would pose as a “Nigerian prince” who needed help freeing up a fortune trapped in a war-plagued country; the victim was asked to advance a fee, or to hand over bank details, in exchange for a share. Once the victim paid, the scammer disappeared. This con was really successful because it seemed plausible and compelling. And so that concept has morphed over and over again into different scams and techniques, involving phone calls, emails and mail to your home. These are what we in the security field call “social engineering” tactics.
As a society, we increasingly share information freely with everyone in the world. In our LinkedIn profiles and our Facebook and Instagram posts, we give away bits of information that, when pieced together, can make strangers appear trustworthy. They know where you went on vacation, the kind of food you eat, what you drink, your family members’ names, the car you drive. So crafting a communication that makes you feel comfortable or trusting is easy, and it becomes harder and harder to question such scammers because they seem so plausible. As a result, people who should know better end up sharing a PIN, Social Security number or other key information to their detriment.
What’s the lesson? We all have to be more skeptical and take reasonable precautions.
What Can You Do?
Fortunately, there are a number of basic steps you can take to safeguard your identity, information and assets, some of which you may already be employing:
Use Multifactor Authentication. Most everyone uses online banking these days, and every bank I’m familiar with offers multifactor authentication (often called two-factor authentication), meaning that when you log in you not only have to provide your username and password (which may or may not have been compromised at some point) but also a second “factor,” such as a passcode messaged to your phone or generated by an authenticator app at the moment you want to access the account. To me, multifactor authentication is a must-have. There are techniques for stealing a passcode sent by text message, for example a phishing page that relays the code to the real site in real time, or a “SIM swap” that moves your phone number onto the attacker’s phone, but those are specialized, targeted situations; they are not the average case, where some guy is taking leaked usernames and passwords and running them against a laundry list of bank accounts or websites. Multifactor authentication works in the vast majority of cases. Where a bank offers it, a code from an authenticator app or a hardware security key is a stronger second factor than a text message, because it never travels over the phone network.
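To make the “second factor” concrete, here is how an authenticator app computes its codes. This is an added example, not code from the original article or from any bank; it implements the public RFC 6238 TOTP algorithm with the Python standard library, using the RFC’s reference secret so the codes match the RFC’s published test vectors. The verification window and the constant-time comparison are the server-side details a practitioner would want; nothing here touches the phone network, which is exactly why an app-generated code cannot be captured by a SIM swap.

```python
"""Time-based one-time passwords (RFC 6238): the second factor an
authenticator app computes.

Added example, not code from the original article or from any bank. It uses
only the Python standard library. The shared secret is the RFC 6238
reference secret, so the codes match the RFC's published test vectors.
"""
import hashlib
import hmac
import struct
import time

# RFC 6238 Appendix B reference secret (the ASCII string "12345678901234567890").
RFC_SECRET = b"12345678901234567890"
STEP_SECONDS = 30   # the time window a code is valid for
DIGITS = 8          # the RFC vectors use 8 digits; most apps display 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                      # low nibble picks a 4-byte window
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)   # keep leading zeros


def totp(secret: bytes, at_time: int, digits: int = DIGITS) -> str:
    """TOTP is HOTP with the counter set to the current 30-second window."""
    return hotp(secret, at_time // STEP_SECONDS, digits)


def verify(secret: bytes, submitted: str, at_time: int,
           skew: int = 1, digits: int = DIGITS) -> bool:
    """Server-side check: accept the code for the current window plus `skew`
    windows either side to tolerate clock drift. Compare in constant time so
    response timing does not leak how many digits were right."""
    window = at_time // STEP_SECONDS
    return any(
        hmac.compare_digest(hotp(secret, window + d, digits), submitted)
        for d in range(-skew, skew + 1)
    )


if __name__ == "__main__":
    now = int(time.time())
    code = totp(RFC_SECRET, now, digits=6)
    print("code for this 30-second window:", code)
    print("accepted by the server:", verify(RFC_SECRET, code, now, digits=6))
```

The secret is provisioned once (usually as a QR code) and thereafter both sides compute the same code from the clock, so there is nothing for an attacker to intercept in transit; the remaining risks are phishing pages that relay a live code and theft of the secret itself.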
Manage Your Passwords. Password management is important, and there’s a dilemma today: passwords should be complex (not your mother’s name, for example), so they often include numbers, capital letters and special characters. But that makes them very hard to remember. As a result, many of us do the absolute wrong thing: we either write down our passwords or use the same one over and over again. This is a problem given that the average person has credentials at 50 to 100 websites, one or more of which has likely experienced a breach at some time. Even if you think an exposed news site holds little information about you, the password you reused there unlocks more critical information elsewhere, and a thief finds out where simply by trying the leaked username and password at hundreds of other sites, a largely automated process known as credential stuffing.
That leads me to another useful tool: a password manager, whether one built into your computer or browser (“Keychain” for Apple users) or a dedicated app. A password manager removes the burden of remembering 100 different, complex passwords; you only have to remember the manager’s master password. People often ask, doesn’t that make the password manager a target? That’s true, but there’s really no way to completely eliminate risk. And in my view, using a manager is less risky than having the same password on 100 websites or writing it down and keeping it where it can be stolen.
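The one password you still have to remember (the master password, or any password you cannot store) is best made as a passphrase of several random words. The following is an added example, not code from the original article: it generates a passphrase with a cryptographically secure random source and shows the entropy arithmetic behind the trade-off the text describes. The word list is a small constructed sample (an assumption made so the script runs offline); in practice you would use a published list such as the EFF long list of 7,776 words.

```python
"""Generate a memorable, high-entropy passphrase and measure it.

Added example, not code from the original article. `secrets` is used rather
than `random` because `random` is predictable and must never be used to make
passwords. SAMPLE_WORDS is a constructed list that is far too small for real
use; the entropy figures make that visible.
"""
import math
import secrets

# Constructed sample list (assumption): only here so the script runs offline.
SAMPLE_WORDS = [
    "anchor", "basket", "candle", "dragon", "ember", "falcon", "garden", "harbor",
    "island", "jacket", "kettle", "lantern", "meadow", "nickel", "orchard", "pepper",
    "quartz", "rocket", "saddle", "timber", "umbrella", "velvet", "walnut", "yellow",
    "zipper", "bridge", "copper", "desert", "engine", "forest", "glacier", "hammer",
]
EFF_LONG_LIST_SIZE = 7776   # size of the EFF long word list (6**5 entries)
PRINTABLE_ASCII = 95        # characters a "complex" keyboard password draws from


def entropy_bits(list_size: int, word_count: int) -> float:
    """Entropy of `word_count` words chosen uniformly from `list_size` words."""
    return word_count * math.log2(list_size)


def char_password_bits(length: int, alphabet_size: int = PRINTABLE_ASCII) -> float:
    """Entropy of a truly random character password of the given length.
    Human-chosen 'complex' passwords are far weaker than this upper bound."""
    return length * math.log2(alphabet_size)


def words_needed(list_size: int, target_bits: float) -> int:
    """Smallest number of words that reaches `target_bits` of entropy."""
    return math.ceil(target_bits / math.log2(list_size))


def generate_passphrase(words: list[str], target_bits: float = 64.0, sep: str = "-") -> str:
    """Draw words with a CSPRNG until the passphrase reaches `target_bits`."""
    count = words_needed(len(words), target_bits)
    return sep.join(secrets.choice(words) for _ in range(count))


if __name__ == "__main__":
    print("5 words from the EFF list:", round(entropy_bits(EFF_LONG_LIST_SIZE, 5), 1), "bits")
    print("8 random printable characters:", round(char_password_bits(8), 1), "bits")
    print("words needed for 80 bits from the EFF list:", words_needed(EFF_LONG_LIST_SIZE, 80))
    print("sample passphrase:", generate_passphrase(SAMPLE_WORDS))
```

Five words from a 7,776-word list give about 64.6 bits, more than a truly random 8-character keyboard password (about 52.6 bits) and far more than the patterns people actually type; with the 32-word sample list above the generator needs 13 words to reach the same target, which is why the size of the list matters as much as the number of words.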
Freeze Your Credit (and Maybe Your Online Accounts). Since the Equifax breach, the credit bureaus have made freezing your credit far easier. You could always do it, but it used to cost money and required many phone calls and letters. And it was very difficult and time-consuming to freeze and then unfreeze your credit if you wanted to make a large purchase like a car. Now you can generally do this quickly, and at no charge, through an app or web browser. If you are not in the market for new credit, why make it available to be taken advantage of? So freeze it. Turn it off.
I actually apply this principle to my online accounts. After every session with a financial provider, I disable online account access. When I need it again, I re-enable the account. Why should I leave it available for someone else to hack? This is less convenient, but then security can be hard.
Safeguard Your Email. Email is a nice, juicy target for fraudsters, because it contains so much personal information, about taxes, bank accounts, you name it, and it is often left sitting in your inbox or archive folders for years. Most email traffic is now encrypted in transit, so it is hard to intercept on the wire and looks like gibberish if it is. The real exposure is the mailbox itself: email is vulnerable in the same way that your online accounts or your computer are, and whoever gets into the account gets everything stored in it. This means that the same defense mechanisms (multifactor authentication, a password manager, etc.) apply to email. However, it’s important to take another step: groom your mailbox by deleting old messages or archiving them to a safe location, whether at home, in a cloud service or both. Email is simply not the place for the long-term storage of sensitive information.
Back Up Your Data. iCloud, Google Drive and a host of other services offer convenient storage. This isn’t just a security concern; you want your information to be available if your computer fails. And what if your computer is hit with a ransomware attack and all your data becomes encrypted? If you decide to pay $1,000 to get the decryption key, you may or may not receive it, or it may not work. With a full backup, you can simply rebuild from scratch. I personally prefer to back up my data both on a local hard drive and in the cloud, a belt-and-suspenders approach. One caveat: ransomware will also encrypt any backup drive that is plugged in at the time, so keep the local copy disconnected between backups, or use a cloud service that keeps earlier versions of your files. If you are concerned about security in the cloud, most services let you turn on multifactor authentication, limit sign-in to devices you have approved, and alert you when a new device logs in.
Protect Your Home Network. Home internet service often comes with a wireless router that has a default network name and password. On many such routers the default password is derived from the network name, the model or the serial number, and the derivation is public, so it is easy to figure out. In New York City, for example, most apartments in a building are likely to use the same cable and internet provider. A quick look at your phone will show you the individual WiFi network names. If they have not been changed, they will follow basically the same naming convention, from which an enterprising thief can figure out the default passwords and potentially access the networks. This individual may be satisfied to use your WiFi for the internet, but more likely will try to eavesdrop on your network traffic, which means that anything sensitive could be compromised. Customizing the name of the WiFi network and setting your own strong password (with WPA2 or WPA3 encryption) will make this work much more difficult, as will changing the router’s administrative password and keeping its firmware up to date.
[Figure: Data Records Stolen or Lost by Industry. 14.7 billion data records have been exposed since 2013.]
Be Careful of Free WiFi. When you go to a coffee shop and jump on their free WiFi, you have to assume that everyone in the room can hear your digital conversations. Hotel networks are similar; even if they require a password, it is usually tied to the room number or guest’s name and easily guessed. Would you tell a stranger your deepest, darkest secrets? If not, you’ll want to protect yourself. One approach is to use a virtual private network (VPN) service, which creates an encrypted “tunnel” from your device through the public WiFi to the VPN provider, so that others on the network see only scrambled traffic. Nothing is infallible: websites that use HTTPS already encrypt their own traffic, and a VPN only protects the path up to the VPN provider, whom you must trust instead. But a VPN will mute your discussion to an inaudible whisper as far as digital intruders in the room are concerned.
Another hazard is what’s called a rogue access point. A hacker, maybe parked outside your hotel in a van, sets up a “network” labeled something like “Hilton guest.” When it appears on your phone, you tap it and it lets you in automatically. Pleasantly surprised (or not noticing) that it didn’t ask you for a password or room number, you start browsing the internet while the intruder forages through your traffic. A VPN protects you here too: the rogue operator sees only the encrypted tunnel, not what is inside it. In either case, if you notice that the network is not actually providing internet access, or your device warns that a website’s certificate is invalid, disconnect right away and tell your device to forget the network.
Don’t Overshare. For better or worse, social media is now integral to the lives of many Americans. They share what they eat, what they buy, where they are. You can debate the merits of this habit, but what’s apparent is that people often share with those who aren’t really their friends. For example, if the Smiths are in Tahiti posting photographs to Facebook, somebody may figure out that their home in Greenwich, CT is empty and worth a visit. At the very least, you should think about the messages you send, and consider how they can hurt you even if you receive abundant “likes.”
More Hazards Ahead
Where is all this going? To me, social engineering will likely remain the biggest cybersecurity threat for individuals. The scams can be quite sophisticated and come from various angles. One email may not get criminals through the door, but combined with a voicemail, a letter and the use of personal information, it may lead you to open up and become vulnerable to theft. In a sense, this is not a technology issue, because grifters have always been with us. But, with the use of technology, they have become more effective.
So, it’s important to be vigilant and informed. Websites such as haveibeenpwned.com let you type in an email address (or, separately, a password) to see whether it has appeared in a known breach, and which one. More broadly, it is prudent to take sensible steps to protect yourself, from the basic (updating, different passwords, antivirus software) to the more elaborate (VPNs, credit freezes). What you do may depend on how you balance security and convenience, but for my money such safeguards are definitely worth it.
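A natural worry about a breach-lookup site is that you have to type your password into it. The following is an added example, not code from the original article or from haveibeenpwned.com, showing how the site’s Pwned Passwords lookup avoids that problem with k-anonymity: the password is hashed locally, only the first five characters of the hash are sent, the server returns every known hash suffix for that prefix, and the match is done on your own machine. No network call is made here; the “server response” is a constructed stand-in in the API’s line format, and its counts are invented.

```python
"""Check a password against a breach corpus without revealing the password.

Added example, not code from the original article or from haveibeenpwned.com.
It reproduces the k-anonymity scheme used by the Pwned Passwords range API
(GET https://api.pwnedpasswords.com/range/<prefix>): hash with SHA-1, send
only the first five hex characters, match the returned suffixes locally.
The password and its full hash never leave the machine.
"""
import hashlib

# Constructed stand-in for the range response to prefix "5BAA6". Only the first
# suffix is genuine (the remainder of SHA-1("password")); the other lines and
# all counts are invented for the example. Real responses hold hundreds of
# lines, and a zero-count line is what padding entries look like.
SAMPLE_RANGE_RESPONSES = {
    "5BAA6": (
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\r\n"
        "0123456789ABCDEF0123456789ABCDEF012:7\r\n"
        + "F" * 35 + ":0\r\n"
    ),
}


def hash_prefix_suffix(password: str) -> tuple[str, str]:
    """Split the upper-case SHA-1 hex digest into the 5-char prefix that is
    sent to the server and the 35-char suffix that stays local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range(body: str) -> dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into a dict, ignoring blank or malformed lines."""
    counts: dict[str, int] = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep and len(suffix) == 35 and count.isdigit():
            counts[suffix.upper()] = int(count)
    return counts


def fetch_range(prefix: str) -> str:
    """Stand-in for the HTTPS GET to the range endpoint (assumption: in a real
    client this is a plain GET of the prefix; here the answer comes from the
    constructed dict above)."""
    return SAMPLE_RANGE_RESPONSES.get(prefix, "")


def breach_count(password: str, fetch=fetch_range) -> int:
    """How many times the password appears in the corpus (0 = not found)."""
    prefix, suffix = hash_prefix_suffix(password)
    return parse_range(fetch(prefix)).get(suffix, 0)


def is_compromised(password: str, fetch=fetch_range) -> bool:
    """Any non-zero count means the password is known to attackers."""
    return breach_count(password, fetch) > 0


if __name__ == "__main__":
    for candidate in ("password", "correct horse battery staple"):
        print(f"{candidate!r}: seen {breach_count(candidate)} times")
```

Because the server only ever learns a five-character prefix shared by hundreds of hashes, it cannot tell which password you checked; a password manager that offers “check for breached passwords” typically does exactly this lookup on your behalf.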
- Review bank and credit card statements for unauthorized transactions
- Keep devices/apps up-to-date
- Use antivirus software and firewall
- Only provide sensitive information on a secure (HTTPS) website, never in an ordinary email
- Avoid entering sensitive information on a public computer or while using public WiFi
- Use VPN service to encrypt data while on any public network
- Use two-factor authentication
- Be safe with passwords
  - Use a “passphrase” (several unrelated words) rather than a single word
  - Don’t reuse or share
  - Don’t use the “remember password” browser feature
  - Use a password manager
- Consider using an information-protection service
- Back up data regularly—to the cloud and locally
- Don’t click on links/open attachments unless the email is expected/verified
  - Confirm that it is legitimate by contacting the sender directly via predetermined contact info
- Use security/privacy settings on social networks; beware of random contacts from strangers
- Don’t overshare on social media
- Research apps before downloading
- Beware of disaster, current-event or celebrity scandal scams (e.g., Nigerian prince)
- Beware of offers that are too good to be true, require fast action or instill fear
- File your tax return as soon as feasible (to keep scammers from filing with your Social Security number)
- Obtain your annual credit report by visiting www.annualcreditreport.com or calling 877.322.8228
  - You can also contact each major reporting bureau individually, for a total of three reports over the course of a year (see Resources for contact information)
  - Your credit card company may provide a free credit score with your monthly statement
  - Beware of websites that sell credit reports, and of lookalike scam sites with names similar to legitimate sites
- Credit freeze
  - Blocks most lenders from seeing your credit history; prevents identity thieves from setting up accounts in your name
  - To apply for credit you will need to “thaw” the freeze temporarily
- Fraud alert
  - Warns lenders that you are the victim of identity theft and that they should take extra steps to verify your identity before granting credit in your name
  - An initial alert now lasts one year (it used to last 90 days) and can be renewed
Resources
Department of Homeland Security: “Be Cyber-Smart” website provides useful tips/information on securing your digital life. www.dhs.gov/be-cyber-smart
Identity Theft Resource Center: Offers assistance to identity theft victims, maintains breach database. www.idtheftcenter.org
Breach Level Index: Has statistics on breaches since 2013. www.Breachlevelindex.com/data-breach-database
Haveibeenpwned.com: Type in your email address or passwords to find out whether you have ever been exposed in a security breach.
Annualcreditreport.com: To receive your free credit report, visit the website or call 877.322.8228.
Credit bureaus: To establish a fraud alert, contact one of the three major credit bureaus, which will notify the others. To place a fraud alert with Innovis (a smaller provider), you must reach out to it separately. To establish (or lift) a credit freeze, you must contact each of the four credit bureaus separately.